c. Impact plus frequency of occurrence
d. Impact divided by frequency of occurrence
130. a. Quantitative means of expressing both potential impact and estimated frequency of occurrence are necessary to perform a risk analysis. The essential elements of a risk analysis are an assessment of the damage that can be caused by an unfavorable event and an estimate of how often such an event may happen in a period of time. Because the exact impact and frequency cannot be specified accurately, it is only possible to approximate the loss with an annual loss exposure, which is the product of the estimated impact in dollars and the estimated frequency of occurrence per year. The product of the impact and the frequency of occurrence would be the statement of loss.
131. A risk analysis provides management of all the following except:
a. Accepting the occurrence of a harmful event
b. Reducing the impact of occurrence of a harmful event
c. Ranking critical applications
d. Recognizing that a potential for loss exists
131. c. A risk analysis provides senior management with information to base decisions on, such as whether it is best to accept or prevent the occurrence of a harmful event, to reduce the impact of such occurrences, or to simply recognize that a potential for loss exists.
The risk analysis should help managers compare the cost of the probable consequences to the cost of effective safeguards. Ranking critical applications comes after the risk analysis is completed. Critical applications are those without which the organization could not function. Proper attention should be given to ensure that critical applications and software are sufficiently protected against loss.
132. Which of the following methods for handling risk involves a third party?
a. Accepting risk
b. Eliminating risk
c. Reducing risk
d. Transferring risk
132. d. An insurance company or another third party is involved in transferring risk. The other three choices do not involve a third party because they are handled within the organization.
133. Which of the following security risk assessment techniques uses a group of experts as the basis for making decisions or judgments?
a. Risk assessment audits
b. Delphi method
c. Expert systems
d. Scenario-based threats
133. b. The Delphi method uses a group decision-making technique. The rationale for using this technique is that it is sometimes difficult to get a consensus on the cost or loss value and the probabilities of loss occurrence. Group members do not meet face-to-face. Rather, each group member independently and anonymously writes down suggestions and submits comments that are then centrally compiled. This process of centrally compiling the results and comments is repeated until full consensus is obtained.
Risk assessment audits are incorrect because they do not produce the consensus that a group of experts reaches in the Delphi method; audits are usually performed by one or two individuals, not by a group. Expert systems are incorrect because they are computer-based systems built from the captured knowledge of human experts; they do not reach consensus the way a group of people does. Scenario-based threats are incorrect because, although a group of people identifies possible threats from scenarios, the technique does not produce the structured consensus of the Delphi method. The iterative, anonymous submission of estimates and comments is what makes the Delphi method more useful than the other methods.
134. The costs and benefits of security techniques should be measured in monetary terms where possible. Which of the following is the most effective means to measure the cost of addressing relatively frequent threats?
a. Single-occurrence losses
b. Annualized loss expectancy
c. Fatal losses
d. Catastrophic losses
134. b. The annualized loss expectancy (ALE) is the estimated loss expressed in monetary terms at an annual rate, for example, dollars per year. The ALE for a given threat with respect to a given function or asset is equal to the product of the estimates of occurrence rate, loss potential, and vulnerability factor.
Single-occurrence loss (SOL) is incorrect because it is the loss expected to result from a single occurrence of a threat. It is determined for a given threat by first calculating the product of the loss potential and vulnerability factor for each function and asset for the threat being analyzed. Then the products are summed to generate the SOL for the threat. Because the SOL does not depend on an estimate of the threat’s occurrence rate, it is particularly useful for evaluating rare but damaging threats. If a threat’s SOL estimate is unacceptably high, it is prudent risk management to take security actions to reduce the SOL to an acceptable level.
Both fatal losses and catastrophic losses are big and rare. Fatal losses involve loss of human life, and catastrophic loss incurs great financial loss. In short, the ALE is useful for addressing relatively frequent threats, whereas SOL and fatal or catastrophic losses address rare threats.
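The following worked example is added here and is not part of the study guide. It carries the arithmetic of Q130 and Q134 (single-occurrence loss as the sum of loss potential times vulnerability factor over the affected assets; annualized loss expectancy as that sum times the annual occurrence rate) through two constructed threats, and then applies the cost-versus-safeguard comparison from Q131. The asset names, dollar figures, rates and the assumption that a safeguard scales every vulnerability factor by one residual fraction are all constructed for illustration.

```python
"""SOL / ALE worked example (constructed data; not from the study guide)."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Exposure:
    """One function or asset as seen by one threat.

    loss_potential: dollars lost if the threat fully succeeds against the asset.
    vulnerability:  fraction (0.0-1.0) of that loss expected per occurrence,
                    given the safeguards currently in place.
    """
    asset: str
    loss_potential: float
    vulnerability: float

    def __post_init__(self) -> None:
        if not 0.0 <= self.vulnerability <= 1.0:
            raise ValueError(f"{self.asset}: vulnerability factor must be in [0, 1]")
        if self.loss_potential < 0:
            raise ValueError(f"{self.asset}: loss potential must be non-negative")


@dataclass
class Threat:
    name: str
    occurrence_rate: float                 # expected occurrences per year
    exposures: List[Exposure] = field(default_factory=list)


def single_occurrence_loss(threat: Threat) -> float:
    """SOL = sum over assets of (loss potential x vulnerability factor).

    Independent of the occurrence rate, so it stays meaningful for rare threats
    whose rate estimate is little more than a guess.
    """
    return sum(e.loss_potential * e.vulnerability for e in threat.exposures)


def annualized_loss_expectancy(threat: Threat) -> float:
    """ALE = SOL x annual occurrence rate (dollars per year)."""
    return single_occurrence_loss(threat) * threat.occurrence_rate


def rank_by_ale(threats: List[Threat]) -> List[str]:
    """Order threats by annual exposure, highest first (Q131: ranking follows analysis)."""
    return [t.name for t in sorted(threats, key=annualized_loss_expectancy, reverse=True)]


def exceeds_sol_ceiling(threat: Threat, ceiling: float) -> bool:
    """Q134: a rare threat is judged on SOL, not ALE. True if one occurrence would
    exceed the largest single loss the organization is prepared to absorb."""
    return single_occurrence_loss(threat) > ceiling


def safeguard_net_benefit(threat: Threat, annual_cost: float, residual_fraction: float) -> float:
    """Q131 cost/benefit: ALE reduction minus the safeguard's annual cost.

    Assumption (constructed model): the safeguard multiplies every exposure's
    vulnerability factor by residual_fraction (0.25 = an 75% reduction).
    Positive result means the safeguard costs less than the loss it prevents.
    """
    if not 0.0 <= residual_fraction <= 1.0:
        raise ValueError("residual_fraction must be in [0, 1]")
    mitigated = Threat(
        threat.name,
        threat.occurrence_rate,
        [Exposure(e.asset, e.loss_potential, e.vulnerability * residual_fraction)
         for e in threat.exposures],
    )
    return annualized_loss_expectancy(threat) - annualized_loss_expectancy(mitigated) - annual_cost


# Constructed sample threats: one frequent and moderate, one rare and severe.
RANSOMWARE = Threat("ransomware on file servers", occurrence_rate=2.0, exposures=[
    Exposure("file servers", 200_000, 0.5),
    Exposure("order processing", 150_000, 0.4),
])
FIRE = Threat("data center fire", occurrence_rate=0.01, exposures=[
    Exposure("file servers", 2_000_000, 1.0),
    Exposure("order processing", 3_000_000, 1.0),
])

if __name__ == "__main__":
    for t in (RANSOMWARE, FIRE):
        print(f"{t.name}: SOL ${single_occurrence_loss(t):,.0f}  ALE ${annualized_loss_expectancy(t):,.0f}/yr")
    print("ranked by ALE:", rank_by_ale([RANSOMWARE, FIRE]))
    # ALE alone under-weights the fire; its SOL is what a survival decision must look at.
    print("fire exceeds $1M single-loss ceiling:", exceeds_sol_ceiling(FIRE, 1_000_000))
    # Offline backups at $60k/yr, assumed to cut ransomware vulnerability to a quarter.
    print(f"backups net benefit: ${safeguard_net_benefit(RANSOMWARE, 60_000, 0.25):,.0f}/yr")
```

Run as a script it shows the point of Q134 in numbers: the frequent ransomware threat has an ALE of $320,000 per year against only $50,000 for the fire, so ALE ranks ransomware first, yet the fire's single-occurrence loss of $5,000,000 is the figure that decides whether the organization survives one event, and it must be judged on its own rather than discounted by a low occurrence rate.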
135. Surveys and statistics indicate that the greatest threat to any computer system is:
a. Untrained or negligent users
b. Vendors and contractors
c. Hackers and crackers
d. Employees
135. d. Employees of all categories are the greatest threat to any computer system because they are trusted the most. They have access to the computer system, they know the physical layout of the area, and they could misuse their power and authority. Most trusted employees have an opportunity to perpetrate fraud if the controls in the system are weak. The consequence of untrained or negligent users is the creation of errors and other minor inconveniences.
Although vendors and contractors are a threat, they are not as great a threat as employees are. With proper security controls, threats arising from hackers and crackers can be minimized, if not eliminated. Hackers and crackers are treated alike here: both access computer systems without authorization, for fun and/or damage.
136. Risk management consists of risk assessment and risk mitigation. Which of the following is not an element of risk mitigation?
a. Measuring risk
b. Selecting appropriate safeguards
c. Implementing and testing safeguards
d. Accepting residual risk
136. a. The term risk management is commonly used to define the process of determining risk, applying controls to reduce the risk, and then determining if the residual risk is acceptable. Risk management supports two goals: measuring risk (risk assessment) and selecting appropriate controls that can reduce risk to an acceptable level (risk mitigation). Therefore, measuring risk is part of risk assessment.
The other three choices are incorrect because they are elements of risk mitigation. Risk mitigation involves three steps: determining those areas where risk is unacceptable; selecting effective safeguards and evaluating the controls; and determining if the residual risk is acceptable.
137. The value of information is measured by its:
a. Negative value
b. Value to the owner